Data recovery of the certificate database
- Hi All,
Currently I'm designing a disaster recovery plan for the Windows 2k8 PKI of a large enterprise. One of the issues I found was the following:
When a data corruption disaster occurs and the certificate database gets corrupted, it is possible to restore the database from the most recent backup using certutil. However, all certificates issued between the last backup and the failure of the database won't be restored. These certificates will stay valid until their expiry date. Because they are not present in the CA database anymore, they have become irrevocable. This might pose a security risk in case one of these certificates has been stolen.
I assume that I'm not the only one encountering this issue. Therefore I wonder how other companies have mitigated this risk.
We use a 2-tier hierarchy with two issuing CAs. Both CAs have their own Jet database. Both issuing CAs are backed up every night (but this is not enough).
Some options I'm considering:
- Creating CA clusters with a SQL database and then using the SQL possibilities for data recovery (but is this even an option?)
- Creating an automated backup each time a new certificate is issued
- Accepting the risk (maybe with more backups each day)
- Using some form of offline administration to know which certificates are issued to whom and in case of a disaster destroying the 'orphaned' certificates.
Maybe I'm missing something obvious, but I'm not an adept in the world of Microsoft PKI and the people here within the company are unable to offer a solution.
Thanks in advance for helping me.
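An added example (not from the original post or any of its participants) of the "more backups each day" option listed above: a PowerShell script for Windows Server 2008 that wraps certutil -backupdb so that a scheduled task can take one full backup of the Jet database per night and an incremental backup (transaction logs only) every few minutes, which shrinks the window of certificates that exist only in the live database. The backup root D:\CABackup, the script path and task names in the comments, and the 14-day retention are assumptions.

```powershell
# Added example: frequent incremental backups of the CA (Jet) database.
# Assumptions: runs on the CA itself, $BackupRoot is a path the account running
# the task can write to, and a full backup is taken at least once a day.
param(
    [string]$BackupRoot = 'D:\CABackup',   # assumption: adjust to your environment
    [switch]$Full,                         # full backup (database + logs); default is incremental
    [int]$RetentionDays = 14               # assumption: how long to keep backup sets
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$mode  = if ($Full) { 'full' } else { 'incr' }
$dest  = Join-Path $BackupRoot ('{0}-{1}' -f $mode, $stamp)
New-Item -ItemType Directory -Path $dest -Force | Out-Null   # certutil wants an empty target

# certutil -backupdb copies the database and its transaction logs. With the
# "incremental" keyword only the logs written since the previous backup are
# copied, which is cheap enough to run every few minutes; each incremental
# only restores on top of the full backup that precedes it.
if ($Full) {
    & certutil.exe -backupdb $dest
} else {
    & certutil.exe -backupdb $dest incremental
}
if ($LASTEXITCODE -ne 0) {
    # Leave the failed set on disk for investigation but make the task fail loudly.
    Write-Error ('certutil -backupdb ({0}) failed with exit code {1}' -f $mode, $LASTEXITCODE)
    exit $LASTEXITCODE
}
Write-Host ('{0} backup written to {1}' -f $mode, $dest)

# Prune old sets. Keep the window longer than the full-backup interval so that
# no incremental outlives the full backup it depends on.
Get-ChildItem -Path $BackupRoot | Where-Object {
    $_.PSIsContainer -and $_.CreationTime -lt (Get-Date).AddDays(-$RetentionDays)
} | Remove-Item -Recurse -Force

# Scheduling (assumed task names and script path C:\Scripts\Backup-CADatabase.ps1):
#   schtasks /Create /TN "CA DB full backup" /SC DAILY /ST 01:00 /RU SYSTEM /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Backup-CADatabase.ps1 -Full"
#   schtasks /Create /TN "CA DB incremental backup" /SC MINUTE /MO 15 /RU SYSTEM /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Backup-CADatabase.ps1"
```

Restoring is the reverse: with the CA service stopped, run certutil -restoredb against the most recent full set, then against each later incremental set in the order it was taken, and only then start the service. This covers the database only; the CA certificate and private key are backed up separately (certutil -backup, or the HSM vendor's own procedure), and a 15-minute interval still leaves a window of up to 15 minutes of issued certificates that would need the re-import approach discussed in the answers.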
Answers
- So, here is a way to import a certificate into the CA database. This is made for cases when the CA was partially restored from backup. But how??? Perhaps Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool — PowerShell can help us? Let's go to the example:

    # read certificate file to byte array:
    $cert = [System.IO.File]::ReadAllBytes('path\file.cer')
    # create ICertAdmin2 object
    $CertAdmin = New-Object -ComObject "CertificateAuthority.Admin.1"
    # import certificate to database (2 = CR_IN_BINARY)
    $CertAdmin.ImportCertificate("ServerName\CA Name", $cert, 2)

This means that you only need to have this certificate file.
As always, enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, PowerShell.exe!
http://www.sysadmins.lv
- Proposed As Answer by Ondrej Sevecek (MVP), Friday, October 23, 2009 8:33 AM
- Marked As Answer by mkleij, Tuesday, October 27, 2009 7:31 AM
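An added example, not part of the answer above or of its author's tools, of the "script around these lines" the asker goes on to mention: it re-imports every certificate that the restored database no longer knows about. It differs from the one-liner in three ways: the certificate is passed as Base64 (CR_IN_BASE64 = 1) instead of a byte array; the serial number is looked up through ICertView2 first, so the script can be re-run safely; and candidates come from a folder of harvested .cer files and, optionally, from the userCertificate attribute in Active Directory, where autoenrolled user certificates are published. The CA config string, the folder path and the assumption that those two sources cover your environment are placeholders to adjust.

```powershell
# Added example: re-import certificates missing from a restored CA database.
# Assumptions: $Config names the restored issuing CA, $CertDir holds .cer files
# (DER or Base64) collected from clients or file shares, and -IncludeAD may be
# used to harvest the userCertificate attribute from Active Directory.
param(
    [string]$Config  = 'CASERVER\Contoso Issuing CA 1',   # assumption: your CA config string
    [string]$CertDir = 'C:\Recovery\OrphanedCerts',       # assumption: harvested .cer files
    [switch]$IncludeAD
)

$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$CertAdmin = New-Object -ComObject 'CertificateAuthority.Admin.1'   # ICertAdmin2

function Test-CertInDatabase([string]$Serial) {
    # ICertView2 lookup by SerialNumber. The database stores serials as lowercase
    # hex while X509Certificate2.SerialNumber is uppercase, so normalise first.
    # A fresh view object per call avoids accumulating restrictions on a shared one.
    $view = New-Object -ComObject 'CertificateAuthority.View'
    $view.OpenConnection($Config)
    $col = $view.GetColumnIndex($false, 'SerialNumber')
    $view.SetRestriction($col, 1, 0, $Serial.ToLower())   # CVR_SEEK_EQ = 1, CVR_SORT_NONE = 0
    $view.SetResultColumnCount(1)
    $view.SetResultColumn($col)
    $rows = $view.OpenView()
    return ($rows.Next() -ne -1)                          # Next() returns -1 when no row matched
}

function Import-CertToCA($Cert) {
    # CR_IN_BASE64 = 1: Base64 body without PEM header. ICF_ALLOWFOREIGN (0x10000)
    # is deliberately not set, so the CA refuses any certificate it did not sign.
    $b64 = [Convert]::ToBase64String($Cert.RawData)
    return $CertAdmin.ImportCertificate($Config, $b64, 1)   # returns the new RequestId
}

# Gather candidate certificates (the X509Certificate2 constructor throws on a
# file that is not a certificate, which is the right place to notice that).
$candidates = @()
foreach ($file in Get-ChildItem -Path $CertDir -Filter *.cer) {
    $candidates += New-Object $X509 -ArgumentList $file.FullName
}
if ($IncludeAD) {
    # userCertificate is multi-valued; each value is one DER-encoded certificate.
    $searcher = [adsisearcher]'(userCertificate=*)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('userCertificate')
    foreach ($result in $searcher.FindAll()) {
        foreach ($raw in $result.Properties['usercertificate']) {
            $candidates += New-Object $X509 -ArgumentList (,[byte[]]$raw)
        }
    }
}

# Import only what the database does not already contain.
$seen = @{}; $imported = 0; $present = 0; $rejected = 0
foreach ($cert in $candidates) {
    $serial = $cert.SerialNumber.ToLower()
    if ($seen.ContainsKey($serial)) { continue }          # same cert seen from two sources
    $seen[$serial] = $true
    if (Test-CertInDatabase $serial) { $present++; continue }
    try {
        $id = Import-CertToCA $cert
        Write-Host ('imported serial {0} ({1}) as RequestId {2}' -f $serial, $cert.Subject, $id)
        $imported++
    } catch {
        # Usual cause: the certificate was not issued by this CA (e.g. by the other issuing CA).
        Write-Warning ('rejected serial {0} ({1}): {2}' -f $serial, $cert.Subject, $_.Exception.Message)
        $rejected++
    }
}
Write-Host ('done: imported={0} already present={1} rejected={2}' -f $imported, $present, $rejected)
```

Run it under a CA administrator account on each issuing CA separately; with two issuing CAs, certificates from the other CA show up in the rejected count rather than being imported, because ICF_ALLOWFOREIGN is not set. Once a certificate is back in the database it can be revoked the normal way, for example certutil -config "CASERVER\Contoso Issuing CA 1" -revoke <serial> 1 (reason 1 = KeyCompromise) followed by certutil -CRL to publish the new CRL, which closes the "irrevocable certificate" gap described in the question for every certificate you managed to collect.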
All Replies
- Thank you. I asked the programmers here to create a script around these lines.
- Tell me if you need help with a PowerShell script.
http://www.sysadmins.lv